KADMIN(8) UNIX System V KADMIN(8)
NAME
kadmin - Kerberos V5 database administration program
SYNOPSIS
kadmin
[-r realm] [-p principal] [-q query]
[[-c cache_name] | [-k [-t keytab]]] [-w password]
[-s admin_server[:port]]
kadmin.local [-r realm] [-p principal] [-q query]
[-d dbname] [-e "enc:salt ..."] [-m]
DESCRIPTION
kadmin and kadmin.local are command-line interfaces to the
Kerberos V5 KADM5 administration system. Both kadmin and
kadmin.local provide identical functionalities; the
difference is that kadmin.local runs on the master KDC and
does not use Kerberos to authenticate to the database.
Except as explicitly noted otherwise, this man page will use
kadmin to refer to both versions. kadmin provides for the
maintenance of Kerberos principals, KADM5 policies, and
service key tables (keytabs).
The remote version uses Kerberos authentication and an
encrypted RPC to operate securely from anywhere on the
network. It authenticates to the KADM5 server using the
service principal kadmin/admin. If the credentials cache
contains a ticket for the kadmin/admin principal, and the -c
credentials_cache option is specified, that ticket is used
to authenticate to KADM5. Otherwise, the -p and -k options
are used to specify the client Kerberos principal name used
to authenticate. Once kadmin has determined the principal
name, it requests a kadmin/admin Kerberos service ticket
from the KDC, and uses that service ticket to authenticate
to KADM5.
The local client kadmin.local, is intended to run directly
on the master KDC without Kerberos authentication. The
local version provides all of the functionality of the now
obsolete kdb5_edit(8), except for database dump and load,
which is now provided by the kdb5_util(8) utility.
OPTIONS
-r realm
Use realm as the default database realm.
-p principal
Use principal to authenticate. Otherwise, kadmin will
append "/admin" to the primary principal name of the
default ccache, the value of the USER environment
variable, or the username as obtained with getpwuid, in
order of preference.
Page 1 (printed 4/3/05)
-k Use a keytab to decrypt the KDC response instead of
prompting for a password on the TTY. In this case, the
default principal will be host/hostname. If there is
not a keytab specified with the -t option, then the
default keytab will be used.
-t keytab
Use keytab to decrypt the KDC response. This can only
be used with the -k option.
-c credentials_cache
Use credentials_cache as the credentials cache. The
credentials_cache should contain a service ticket for
the kadmin/admin service; it can be acquired with the
kinit(1) program. If this option is not specified,
kadmin requests a new service ticket from the KDC, and
stores it in its own temporary ccache.
-w password
Use password instead of prompting for one on the TTY.
Note: placing the password for a Kerberos principal
with administration access into a shell script can be
dangerous if unauthorized users gain read access to the
script.
-q query
pass query directly to kadmin, which will perform query
and then exit. This can be useful for writing scripts.
-d dbname
Specifies the name of the Kerberos database (kadmin.local
only).
-s admin_server[:port]
Specifies the admin server which kadmin should contact.
-m Do not read the master key from the stash file. This
option causes kadmin.local to prompt for the master
database password instead (kadmin.local only).
-e enc:salt_list
Sets the list of encryption types and salt types to be
used for any new keys created.
DATE FORMAT
Various commands in kadmin can take a variety of date
formats, specifying durations or absolute times. Examples
of valid formats are:
1 month ago
2 hours ago
400000 seconds ago
last year
this Monday
next Monday
yesterday
tomorrow
now
second Monday
a fortnight ago
3/31/92 10:00:07 PST
January 23, 1987 10:05pm
22:00 GMT
Dates which do not have the "ago" specifier default to being
absolute dates, unless they appear in a field where a
duration is expected. In that case the time specifier will
be interpreted as relative. Specifying "ago" in a duration
may result in unexpected behavior.
COMMANDS
add_principal [options] newprinc
creates the principal newprinc, prompting twice for a
password. If no policy is specified with the -policy
option, and the policy named "default" exists, then
that policy is assigned to the principal; note that the
assignment of the policy "default" only occurs
automatically when a principal is first created, so the
policy "default" must already exist for the assignment
to occur. This assignment of "default" can be
suppressed with the -clearpolicy option. This command
requires the add privilege. This command has the
aliases addprinc and ank. The options are:
-expire expdate
expiration date of the principal
-pwexpire pwexpdate
password expiration date
-maxlife maxlife
maximum ticket life for the principal
-maxrenewlife maxrenewlife
maximum renewable life of tickets for the
principal
-kvno kvno
explicitly set the key version number.
-policy policy
policy used by this principal. If no policy is
supplied, then if the policy "default" exists and
the -clearpolicy is not also specified, then the
policy "default" is used; otherwise, the principal
will have no policy, and a warning message will be
printed.
-clearpolicy
-clearpolicy prevents the policy "default" from
being assigned when -policy is not specified.
This option has no effect if the policy "default"
does not exist.
{-|+}allow_postdated
-allow_postdated prohibits this principal from
obtaining postdated tickets. (Sets the
KRB5_KDB_DISALLOW_POSTDATED flag.)
+allow_postdated clears this flag.
{-|+}allow_forwardable
-allow_forwardable prohibits this principal from
obtaining forwardable tickets. (Sets the
KRB5_KDB_DISALLOW_FORWARDABLE flag.)
+allow_forwardable clears this flag.
{-|+}allow_renewable
-allow_renewable prohibits this principal from
obtaining renewable tickets. (Sets the
KRB5_KDB_DISALLOW_RENEWABLE flag.)
+allow_renewable clears this flag.
{-|+}allow_proxiable
-allow_proxiable prohibits this principal from
obtaining proxiable tickets. (Sets the
KRB5_KDB_DISALLOW_PROXIABLE flag.)
+allow_proxiable clears this flag.
{-|+}allow_dup_skey
-allow_dup_skey Disables user-to-user
authentication for this principal by prohibiting
this principal from obtaining a session key for
another user. (Sets the
KRB5_KDB_DISALLOW_DUP_SKEY flag.) +allow_dup_skey
clears this flag.
{-|+}requires_preauth
+requires_preauth requires this principal to
preauthenticate before being allowed to kinit.
(Sets the KRB5_KDB_REQUIRES_PRE_AUTH flag.)
-requires_preauth clears this flag.
{-|+}requires_hwauth
+requires_hwauth requires this principal to
preauthenticate using a hardware device before
being allowed to kinit. (Sets the
KRB5_KDB_REQUIRES_HW_AUTH flag.) -requires_hwauth
clears this flag.
{-|+}allow_svr
-allow_svr prohibits the issuance of service
tickets for this principal. (Sets the
KRB5_KDB_DISALLOW_SVR flag.) +allow_svr clears
this flag.
{-|+}allow_tgs_req
-allow_tgs_req specifies that a Ticket-Granting
Service (TGS) request for a service ticket for
this principal is not permitted. This option is
useless for most things. +allow_tgs_req clears
this flag. The default is +allow_tgs_req. In
effect, -allow_tgs_req sets the
KRB5_KDB_DISALLOW_TGT_BASED flag on the principal
in the database.
{-|+}allow_tix
-allow_tix forbids the issuance of any tickets for
this principal. +allow_tix clears this flag. The
default is +allow_tix. In effect, -allow_tix sets
the KRB5_KDB_DISALLOW_ALL_TIX flag on the
principal in the database.
{-|+}needchange
+needchange sets a flag in attributes field to
force a password change; -needchange clears it.
The default is -needchange. In effect,
+needchange sets the KRB5_KDB_REQUIRES_PWCHANGE
flag on the principal in the database.
{-|+}password_changing_service
+password_changing_service sets a flag in the
attributes field marking this as a password change
service principal (useless for most things).
-password_changing_service clears the flag. This
flag intentionally has a long name. The default
is -password_changing_service. In effect,
+password_changing_service sets the
KRB5_KDB_PWCHANGE_SERVICE flag on the principal in
the database.
-randkey
sets the key of the principal to a random value
-pw password
sets the key of the principal to the specified
string and does not prompt for a password. Note:
using this option in a shell script can be
dangerous if unauthorized users gain read access
to the script.
-e "enc:salt ..."
uses the specified list of enctype-salttype pairs
for setting the key of the principal. The quotes
are necessary if there are multiple
enctype-salttype pairs. This will not function
against kadmin daemons earlier than krb5-1.2.
EXAMPLE:
kadmin: addprinc tlyu/admin
WARNING: no policy specified for "tlyu/admin@BLEEP.COM";
defaulting to no policy.
Enter password for principal tlyu/admin@BLEEP.COM:
Re-enter password for principal tlyu/admin@BLEEP.COM:
Principal "tlyu/admin@BLEEP.COM" created.
kadmin:
ERRORS:
KADM5_AUTH_ADD (requires "add" privilege)
KADM5_BAD_MASK (shouldn't happen)
KADM5_DUP (principal exists already)
KADM5_UNK_POLICY (policy does not exist)
KADM5_PASS_Q_* (password quality violations)
delete_principal [-force] principal
deletes the specified principal from the database.
This command prompts for deletion, unless the -force
option is given. This command requires the delete
privilege. Aliased to delprinc.
EXAMPLE:
kadmin: delprinc mwm_user
Are you sure you want to delete the principal
"mwm_user@BLEEP.COM"? (yes/no): yes
Principal "mwm_user@BLEEP.COM" deleted.
Make sure that you have removed this principal from
all ACLs before reusing.
kadmin:
ERRORS:
KADM5_AUTH_DELETE (requires "delete" privilege)
KADM5_UNK_PRINC (principal does not exist)
modify_principal [options] principal
modifies the specified principal, changing the fields
as specified. The options are as above for
add_principal, except that password changing and flags
related to password changing are forbidden by this
command. In addition, the option -clearpolicy will
clear the current policy of a principal. This command
requires the modify privilege. Aliased to modprinc.
ERRORS:
KADM5_AUTH_MODIFY (requires "modify" privilege)
KADM5_UNK_PRINC (principal does not exist)
KADM5_UNK_POLICY (policy does not exist)
KADM5_BAD_MASK (shouldn't happen)
change_password [options] principal
changes the password of principal. Prompts for a new
password if neither -randkey nor -pw is specified.
Requires the changepw privilege, or that the principal
running the program be the same as the one being
changed. Aliased to cpw. The following options are
available:
-randkey
sets the key of the principal to a random value
-pw password
set the password to the specified string. Not
recommended.
-e "enc:salt ..."
uses the specified list of enctype-salttype pairs
for setting the key of the principal. The quotes
are necessary if there are multiple
enctype-salttype pairs. This will not function
against kadmin daemons earlier than krb5-1.2.
-keepold
Keeps the previous kvno's keys around. There is
no easy way to delete the old keys, and this flag
is usually not necessary except perhaps for TGS
keys. Don't use this flag unless you know what
you're doing.
EXAMPLE:
kadmin: cpw systest
Enter password for principal systest@BLEEP.COM:
Re-enter password for principal systest@BLEEP.COM:
Password for systest@BLEEP.COM changed.
kadmin:
ERRORS:
KADM5_AUTH_CHANGEPW (requires the changepw privilege)
KADM5_UNK_PRINC (principal does not exist)
KADM5_PASS_Q_* (password policy violation errors)
KADM5_PASS_REUSE (password is in principal's password
history)
KADM5_PASS_TOOSOON (current password minimum life not
expired)
get_principal [-terse] principal
gets the attributes of principal. Requires the inquire
privilege, or that the principal running the program be
the same as the one being listed. With the -terse
option, outputs fields as quoted tab-separated strings.
Alias getprinc.
EXAMPLES:
kadmin: getprinc tlyu/admin
Principal: tlyu/admin@BLEEP.COM
Expiration date: [never]
Last password change: Mon Aug 12 14:16:47 EDT 1996
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Mon Aug 12 14:16:47 EDT 1996 (bjaspan/admin@BLEEP.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 2
Key: vno 1, DES cbc mode with CRC-32, no salt
Key: vno 1, DES cbc mode with CRC-32, Version 4
Attributes:
Policy: [none]
kadmin: getprinc -terse systest
systest@BLEEP.COM 3 86400 604800 1
785926535 753241234 785900000
tlyu/admin@BLEEP.COM 786100034 0 0
kadmin:
ERRORS:
KADM5_AUTH_GET (requires the get (inquire) privilege)
KADM5_UNK_PRINC (principal does not exist)
list_principals [expression]
Retrieves all or some principal names. Expression is a
shell-style glob expression that can contain the wild-
card characters ?, *, and []'s. All principal names
matching the expression are printed. If no expression
is provided, all principal names are printed. If the
expression does not contain an "@" character, an "@"
character followed by the local realm is appended to
the expression. Requires the list privilege. Alias
listprincs, get_principals, get_princs.
EXAMPLES:
kadmin: listprincs test*
test3@SECURE-TEST.OV.COM
test2@SECURE-TEST.OV.COM
test1@SECURE-TEST.OV.COM
testuser@SECURE-TEST.OV.COM
kadmin:
add_policy [options] policy
adds the named policy to the policy database. Requires
the add privilege. Aliased to addpol. The following
options are available:
-maxlife time
sets the maximum lifetime of a password
-minlife time
sets the minimum lifetime of a password
-minlength length
sets the minimum length of a password
-minclasses number
sets the minimum number of character classes
required in a password
-history number
sets the number of past keys kept for a principal
ERRORS:
KADM5_AUTH_ADD (requires the add privilege)
KADM5_DUP (policy already exists)
delete_policy [-force] policy
deletes the named policy. Prompts for confirmation
before deletion. The command will fail if the policy
is in use by any principals. Requires the delete
privilege. Alias delpol.
EXAMPLE:
kadmin: delpol guests
Are you sure you want to delete the policy "guests"?
(yes/no): yes
kadmin:
ERRORS:
KADM5_AUTH_DELETE (requires the delete privilege)
KADM5_UNK_POLICY (policy does not exist)
KADM5_POLICY_REF (reference count on policy is not zero)
modify_policy [options] policy
modifies the named policy. Options are as above for
add_policy. Requires the modify privilege. Alias
modpol.
ERRORS:
KADM5_AUTH_MODIFY (requires the modify privilege)
KADM5_UNK_POLICY (policy does not exist)
get_policy [-terse] policy
displays the values of the named policy. Requires the
inquire privilege. With the -terse flag, outputs the
fields as quoted strings separated by tabs. Alias
getpol.
EXAMPLES:
kadmin: get_policy admin
Policy: admin
Maximum password life: 180 days 00:00:00
Minimum password life: 00:00:00
Minimum password length: 6
Minimum number of password character classes: 2
Number of old keys kept: 5
Reference count: 17
kadmin: get_policy -terse admin
admin 15552000 0 6 2 5 17
kadmin:
ERRORS:
KADM5_AUTH_GET (requires the get privilege)
KADM5_UNK_POLICY (policy does not exist)
list_policies [expression]
Retrieves all or some policy names. Expression is a
shell-style glob expression that can contain the wild-
card characters ?, *, and []'s. All policy names
matching the expression are printed. If no expression
is provided, all existing policy names are printed.
Requires the list privilege. Alias listpols,
get_policies, getpols.
EXAMPLES:
kadmin: listpols
test-pol
dict-only
once-a-min
test-pol-nopw
kadmin: listpols t*
test-pol
test-pol-nopw
kadmin:
ktadd [-k keytab] [-q] [-e keysaltlist]
[principal | -glob princ-exp] [...]
Adds a principal or all principals matching princ-exp
to a keytab, randomizing each principal's key in the
process. Requires the inquire and changepw privileges.
An entry for each of the principal's unique encryption
types is added, ignoring multiple keys with the same
encryption type but different salt types. If the -k
argument is not specified, the default keytab
/etc/krb5.keytab is used. If the -q option is
specified, less verbose status information is
displayed.
The -glob option requires the list privilege. princ-
exp follows the same rules described for the
list_principals command.
EXAMPLE:
kadmin: ktadd -k /tmp/foo-new-keytab host/foo.mit.edu
Entry for principal host/foo.mit.edu@ATHENA.MIT.EDU with
kvno 3, encryption type DES-CBC-CRC added to keytab
WRFILE:/tmp/foo-new-keytab
kadmin:
ktremove [-k keytab] [-q] principal [kvno | all | old]
Removes entries for the specified principal from a
keytab. Requires no permissions, since this does not
require database access. If the string "all" is
specified, all entries for that principal are removed;
if the string "old" is specified, all entries for that
principal except those with the highest kvno are
removed. Otherwise, the value specified is parsed as
an integer, and all entries whose kvno match that
integer are removed. If the -k argument is not
specified, the default keytab /etc/krb5.keytab is used.
If the -q option is specified, less verbose status
information is displayed.
EXAMPLE:
kadmin: ktremove -k /usr/local/var/krb5kdc/kadmind.keytab kadmin/admin
Entry for principal kadmin/admin with kvno 3 removed
from keytab WRFILE:/usr/local/var/krb5kdc/kadmind.keytab.
kadmin:
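The -q, -k/-t and -w options, add_policy, and the ktadd/ktremove
procedure above combine naturally into a maintenance script. The
following is an added example for this page, not code from kadmin(8)
or from MIT Kerberos; the principal automation/admin@EXAMPLE.COM,
the keytab path /etc/krb5/automation.keytab, the realm, the host
principal and the policy numbers are assumptions chosen for
illustration. It shows three things a practitioner wants from such a
script: the admin credential is a keytab, so no password reaches the
script, the command line or the process list (the -w and -pw warnings
above); the -q query is passed as a single argument that kadmin's own
command parser splits, so durations in the DATE FORMAT syntax are
double-quoted inside the query; and because ktadd randomizes the
principal's key in the KDC the moment it runs, the new entry is written
into a private, 0600 temporary copy of the keytab that still carries
the old kvno entries, renamed into place atomically, and the superseded
entries are dropped with "ktremove ... old" only after every consumer
of the keytab has reloaded it.

```shell
#!/bin/sh
# Added example for this page (not code from kadmin(8) or MIT Kerberos):
# drive kadmin from a script with a keytab and -q, so that no admin
# password is ever written into the script or passed with -w.
#
# Assumed names (illustration only):
#   automation/admin@EXAMPLE.COM   principal holding just the kadm5.acl
#                                  rights this script needs
#   /etc/krb5/automation.keytab    its keytab, root-owned, mode 0600
set -eu

KADMIN="${KADMIN:-kadmin}"      # overridable so the script can be dry-run
REALM="${REALM:-EXAMPLE.COM}"
ADMIN_PRINC="${ADMIN_PRINC:-automation/admin@EXAMPLE.COM}"
ADMIN_KEYTAB="${ADMIN_KEYTAB:-/etc/krb5/automation.keytab}"

# Run a single kadmin query non-interactively (OPTIONS: -r, -p, -k, -t, -q).
# The query is one argument; kadmin splits it itself, honouring "..." quoting.
kadmin_query() {
    "$KADMIN" -r "$REALM" -p "$ADMIN_PRINC" -k -t "$ADMIN_KEYTAB" -q "$1"
}

# Create a password policy, or update it if it already exists (addpol
# fails with KADM5_DUP in that case). Durations use the DATE FORMAT
# syntax; the numbers are this script's choice, not the man page's.
POLICY_OPTS='-maxlife "90 days" -minlife "1 day" -minlength 12 -minclasses 3 -history 10'
apply_password_policy() {           # $1 = policy name
    kadmin_query "addpol $POLICY_OPTS $1" || kadmin_query "modpol $POLICY_OPTS $1"
}

# Rotate a service principal's key into a keytab. ktadd randomizes the
# key in the KDC as soon as it runs, so: build the new keytab as a
# private temporary copy (0600, old kvno entries retained so tickets
# already issued keep working), then rename it into place, which is
# atomic; a crash half-way leaves the old keytab untouched.
rotate_keytab() {                   # $1 = service principal, $2 = keytab path
    dst=$2
    tmp="$dst.new.$$"
    umask 077                       # anything created below is 0600
    rm -f "$tmp"
    if [ -f "$dst" ]; then cp "$dst" "$tmp"; fi
    kadmin_query "ktadd -k $tmp $1"
    mv -f "$tmp" "$dst"
}

# Once every consumer of the keytab has reloaded it, drop the superseded
# entries (ktremove needs no kadmin privilege, only write access to the file).
retire_old_keys() {                 # $1 = service principal, $2 = keytab path
    kadmin_query "ktremove -k $2 $1 old"
}

# Typical sequence (run as root on the host that owns the keytab):
#   apply_password_policy staff
#   rotate_keytab host/www.example.com /etc/krb5.keytab
#   ... restart or reload the services that read /etc/krb5.keytab ...
#   retire_old_keys host/www.example.com /etc/krb5.keytab
```

Setting KADMIN to a wrapper that only records its arguments lets the
script be dry-run on a workstation before it is given a real keytab;
the same hook is what the functions are written around.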
FILES
principal.db default name for Kerberos principal
database
<dbname>.kadm5 KADM5 administrative database. (This
would be "principal.kadm5", if you use
the default database name.) Contains
policy information.
<dbname>.kadm5.lock lock file for the KADM5 administrative
database.
This file works backwards from most
other lock files. I.e., kadmin will
exit with an error if this file does
not exist.
kadm5.acl file containing list of principals and
their kadmin administrative privileges.
See kadmind(8) for a description.
kadm5.keytab keytab file for kadmin/admin principal.
kadm5.dict file containing dictionary of strings
explicitly disallowed as passwords.
HISTORY
The kadmin program was originally written by Tom Yu at MIT,
as an interface to the OpenVision Kerberos administration
program.
SEE ALSO
kerberos(1), kpasswd(1), kadmind(8)
BUGS
Command output needs to be cleaned up.
There is no way to delete a key kept around from a
"-keepold" option to a password-changing command, other than
to do a password change without the "-keepold" option, which
will of course cause problems if the key is a TGS key.
There will be more powerful key-manipulation commands in the
future.